Description
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
A regular expression denial of service (ReDoS) vulnerability was found in Python's tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive.
Statement
This vulnerability is classified as moderate severity rather than important because while it does allow for a denial of service (DoS) attack via excessive backtracking in the tarfile module, it does not enable remote code execution or compromise the integrity or confidentiality of data. Exploitation requires an attacker to provide a specially crafted tar archive and relies on the victim's system processing that file, which limits the attack vector. Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | python3.12 | Not affected | ||
Red Hat Enterprise Linux 6 | python | Out of support scope | ||
Red Hat Enterprise Linux 7 | python | Out of support scope | ||
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-nvidia-rhel9 | Affected | ||
Red Hat Enterprise Linux 7.7 Advanced Update Support | python3 | Fixed | RHSA-2024:8490 | 28.10.2024 |
Red Hat Enterprise Linux 7 Extended Lifecycle Support | python3 | Fixed | RHSA-2025:1750 | 24.02.2025 |
Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2024:6975 | 24.09.2024 |
Red Hat Enterprise Linux 8 | python39 | Fixed | RHSA-2024:8359 | 23.10.2024 |
Red Hat Enterprise Linux 8 | python39-devel | Fixed | RHSA-2024:8359 | 23.10.2024 |
Additional information
Status:
EPSS
CVSS3: 7.5 High